Solved

VPN tunnel negotiates but only when triggered from one side and IKE/IPSec SA delete request

Posted on 2012-08-25
Last Modified: 2012-08-26
Hi All,

I have made some big changes to our network infrastructure today as we are due to take over another floor in our building (we've only had one so far).

The relevant changes are the introduction of a Layer 3 switch (as we need to start using VLANs) and the switch from our SonicWall TZ190 to two SonicWall NSA200 (HA solution). The Layer 2 switches were replaced as well.
The SonicWall has got a virtual sub interface set up and assigned to the LAN interface (x0) - this is solely used for wireless.

The connectivity between the floors is fine, the connectivity within the network is fine - my only issue is one VPN tunnel which initially didn't connect.

We are connecting to a Cisco firewall in a data centre in London via a VPN tunnel from our SonicWall.
This has worked until I changed it over today - all existing rules were copied so there shouldn't be a problem with those.
I tried to connect to the remote servers but a connection couldn't be established. There was only one attempt to establish the VPN tunnel in the log files:

IKE responder received main mode request (Phase 1)
IKE responder: Main mode complete (Phase 1)
Received IPSec SA delete request
Received IKE SA delete request

No further attempts after this initial one.

I have then connected to a computer in a remote office which has got a VPN tunnel to the remote firewall set up successfully and from there to our remote servers.
From the remote servers I pinged our internal network (a server in the office network that doesn't connect) and this has triggered the VPN tunnel negotiation as well as a successful connection. I can now RDP to the remote servers from the computers that couldn't previously connect.

[edit] The tunnel has just dropped again after another IKE/IPSec delete request... [\edit]

[edit 2] I've just received the log file entry from our data centre hoster for the time of the disconnection. Keep alive is enabled in the VPN settings...

Aug 25 18:48:07 xxx: IP = 141.x,x,x, Keep-alives configured on but peer does not support keep-alives (type = None)

Aug 25 18:52:23 xxx: Group = 141.x.x.x, IP = 141.x.x.x, Connection terminated for peer 141.x.x.x.  Reason: IPSec SA Idle Timeout  Remote Proxy 192.168.73.0, Local Proxy 192.168.128.0

Aug 25 18:54:57 xxx: Group = 141.x.x.x, Username = 141.x.x.x, IP = 141.x.x.x, Session disconnected. Session Type: IPsec, Duration: 0h:42m:51s, Bytes xmt: 146067, Bytes rcv: 227970, Reason: Idle Timeout

Aug 25 18:54:57 xxx: Group = 141.x,x,x, IP = 141.x,x,x, Connection terminated for peer 141.x,x,x.  Reason: IPSec SA Idle Timeout  Remote Proxy 192.168.73.0, Local Proxy 192.168.129.128
[\edit2]

There's obviously something wrong but what?

Please let me know what more info you require and I'll post it for you.

Thank you!
Question by:Minime85
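The Cisco-side lines quoted in the question show two things worth correlating per peer: the "peer does not support keep-alives" warning and the "IPSec SA Idle Timeout" terminations that follow it. The following triage helper is an added example, not from the question, SonicWall or Cisco; it parses lines in that format (constructed sample, documentation addresses in place of the poster's masked 141.x.x.x) and lists peers that dropped on idle timeout while the remote side reported no keep-alives negotiated.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Cisco log excerpt in the question;
# peer addresses are documentation ranges, not real peers.
SAMPLE_LOG = """\
Aug 25 18:48:07 fw01: IP = 203.0.113.5, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 25 18:52:23 fw01: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5.  Reason: IPSec SA Idle Timeout  Remote Proxy 192.168.73.0, Local Proxy 192.168.128.0
Aug 25 18:54:57 fw01: Group = 203.0.113.5, Username = 203.0.113.5, IP = 203.0.113.5, Session disconnected. Session Type: IPsec, Duration: 0h:42m:51s, Bytes xmt: 146067, Bytes rcv: 227970, Reason: Idle Timeout
Aug 25 18:54:57 fw01: Group = 203.0.113.5, IP = 203.0.113.5, Connection terminated for peer 203.0.113.5.  Reason: IPSec SA Idle Timeout  Remote Proxy 192.168.73.0, Local Proxy 192.168.129.128
Aug 25 19:10:41 fw01: Group = 198.51.100.7, IP = 198.51.100.7, Connection terminated for peer 198.51.100.7.  Reason: User Requested  Remote Proxy 10.10.0.0, Local Proxy 192.168.128.0
"""

KEEPALIVE_RE = re.compile(
    r"IP = (?P<ip>[\d.]+), Keep-alives configured on but peer does not support keep-alives")
TERMINATED_RE = re.compile(
    r"Connection terminated for peer (?P<ip>[\d.]+)\.\s+Reason: (?P<reason>.+?)\s+"
    r"Remote Proxy (?P<remote>[\d.]+), Local Proxy (?P<local>[\d.]+)")

def analyse(log_text):
    """Group keep-alive warnings and SA terminations per peer IP."""
    peers = defaultdict(lambda: {"keepalive_warning": False, "idle_timeouts": [], "other": []})
    for line in log_text.splitlines():
        m = KEEPALIVE_RE.search(line)
        if m:
            peers[m["ip"]]["keepalive_warning"] = True
            continue
        m = TERMINATED_RE.search(line)
        if m:
            entry = peers[m["ip"]]
            if m["reason"] == "IPSec SA Idle Timeout":
                # Remember which proxy pair (encryption domain) was torn down.
                entry["idle_timeouts"].append((m["remote"], m["local"]))
            else:
                entry["other"].append(m["reason"])
    return dict(peers)

def suspects(peers):
    """Peers that dropped on idle timeout while also not negotiating keep-alives."""
    return sorted(ip for ip, e in peers.items()
                  if e["keepalive_warning"] and e["idle_timeouts"])

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip in suspects(report):
        nets = ", ".join(f"{r}<->{l}" for r, l in report[ip]["idle_timeouts"])
        print(f"{ip}: idle-timeout drops on {nets}; peer did not negotiate keep-alives")
```

A peer listed by `suspects()` is one whose SAs are only rebuilt when traffic happens to arrive, which matches the symptom in the question of the tunnel coming up only when triggered from one side.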

Accepted Solution

by: Minime85
ID: 38333203
Right, by the looks of it turning it off and on again has worked miracles. I'll confirm tomorrow if it's still working!

Author Closing Comment

by:Minime85
ID: 38333755
That's still up - the reboot has fixed it.
